Ensure that authorizations are reassessed when a significant change affects the security or privacy posture of an application, consistent with the requirements of VA Handbook 6500.
Reevaluate the risk determination for the Patient Advocate Tracking System‑Replacement and determine the appropriate security categorization level and system classification based on (1) the sensitive personal information maintained in the system and (2) the System Security Categorization Report.
Reevaluate whether there is a continued business need to maintain access to veterans’ medical records in the Patient Advocate Tracking System-Replacement.
Institute a process to ensure user roles are regularly reviewed for continued access and evaluate the effectiveness of the access control principle of least privilege to ensure roles for the Patient Advocate Tracking System-Replacement are correctly configured and allow access only for authorized users.
Update the Patient Advocate Tracking System-Replacement user guides and training materials.